blocking connections

suthomas1
Level 6

If there is a need to block unwanted or malicious connections on firewall, shun is advised.

I'd appreciate it if any of the gurus here can help me understand how shun differs from using an ACL for the same purpose.

In which typical scenario is shun preferred over an ACL?

TIA.

Accepted Solution

praprama
Cisco Employee

Hi,

Another difference between "shun" and ACLs is in the packet processing. Shunning is performed at the very first of the packet processing steps, while ACL checks are performed after a "Flow lookup" or "Connection entry" lookup.

So basically it means that if there is an existing connection for some kind of traffic and you decide to block it using ACLs, it will not happen unless that connection is torn down and a new one created. But if you decide to "shun" that host, then in spite of the existing connection entry, "anything and everything" from the host will be blocked.

This is the reason why, when we configure IPS to block hosts on ASAs (using the signature action "request block"), it uses the "shun" command rather than ACLs (which it uses for routers and switches).

Hope that is clear!!

Thanks and Regards,
Prapanch
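To make the ordering described in this answer concrete, here is a toy model of the packet path (added for this page; it is not Cisco's code and does not reproduce the ASA's real implementation). The shun table is consulted before the flow lookup, and the ACL is evaluated only for packets that do not match an existing connection. The class names, addresses and port are made up.

```python
"""Simplified model of the packet path described above:
shun check -> flow (connection) lookup -> ACL check for new flows only."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Firewall:
    shunned: set = field(default_factory=set)      # hosts in the shun table
    acl_denies: set = field(default_factory=set)   # (src, dst, dport) deny entries
    connections: set = field(default_factory=set)  # established flows

    def process(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.dport)
        # Step 1: the shun table is consulted before anything else.
        if pkt.src in self.shunned:
            return "dropped by shun"
        # Step 2: flow lookup; a packet on an existing connection bypasses the ACL.
        if key in self.connections:
            return "permitted (existing connection)"
        # Step 3: the ACL is only checked when a new connection would be built.
        if key in self.acl_denies:
            return "dropped by acl"
        self.connections.add(key)
        return "permitted (new connection)"


def demo() -> list:
    """Walk through the scenario from the answer with constructed sample values."""
    fw = Firewall()
    pkt = Packet("10.1.1.5", "192.0.2.10", 443)  # constructed sample flow
    results = [fw.process(pkt)]             # builds the connection entry
    fw.acl_denies.add(("10.1.1.5", "192.0.2.10", 443))
    results.append(fw.process(pkt))         # ACL added, but the flow already exists
    fw.shunned.add("10.1.1.5")
    results.append(fw.process(pkt))         # shun wins regardless of the flow
    fw.shunned.discard("10.1.1.5")
    fw.connections.discard(("10.1.1.5", "192.0.2.10", 443))  # flow torn down
    results.append(fw.process(pkt))         # only now does the ACL take effect
    return results
```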


3 Replies

Jitendriya Athavale
Cisco Employee

An ACL will drop everything between a source and destination,

whereas using shun you can specify a threshold after which it will start shunning; for example, if you see x number of packets in a duration of y mins from z, shun the traffic.

hope it helps

- JA

Maykol Rojas
Cisco Employee

Hello,

Shun will block everything from the specified host; ACLs will allow you to permit some ports/protocols and deny the rest of the traffic from the specified host.

Cheers

Mike

